62 comments

[ 3.0 ms ] story [ 127 ms ] thread
Mac addresses should be registered with the network and run an endpoint security agent to continue physical access.
Isn't 802.11x the right solution? MAC addresses can be faked easily; 802.11x forces actual authentication (and encryption, IIRC?).
The protocol (802.1x) is a mean of granting/denying access to a network based on a set of rules. It does authentication, which is itself end-to-end encrypted, but it doesn't provide confidentiality, meaning no encryption. Also, I'm not sure, but I believe it doesn't protect againts active MITM attacks (also meaning injecting packets). There's another set of protocols, 802.1AE or MACSec, which should do what you ask.
Mac addresses are useless for security purposes. There really is no right solution using a Pi, everything is on the SD card and there is no encryption possible. It’s a bit too open.
(comment deleted)
A consultant who works with NASA once told me that there was an incident where they had exposed several petabytes of data to the public Internet. Because no one had the storage capability for the data though, they wrote off the security incident completely.
That's pretty hilarious. Reminds me of construction equipment. At some point on some highway, I realized construction machines, materials, and so on are probably pretty expensive, yet they're just left out there without even a tarp to hide them. I guess they're so difficult to move it wouldn't be worth even trying to steal them.
Maybe theft is proportional to value density?
Theft is often a crime of convenience. It’s counterintuitive, but thefts actually tend to go down during recessions. People just don’t leave the house as much, so they don’t have as many opportunities to steal.

Source: good friend was a public defender

They're all tagged with GPS trackers these days. The rare case of heavy equipment like that being stolen almost always results in recovery because of that. I would recommend just trying to steal some parts of the machine, rather than the whole thing. If you do enough research and presell the parts before taking them you would probably get away with it for a while.

Thought exercise only, I ain't cut out for the life of crime.

Hydraulic cylinders would probably be a good place to start, just based on anecdata from seeing equipment down for long, expensive periods of time as cylinders go off for rebuild/reseal/resleeving.
What thieves seem to go for nowdays is the d-gps hardware installed in graders / excavators used in large projects. Very expensive stuff which is easy to hide. A Leica 3d kit is something like $40k...
I've heard the same[1], but that kind of thing seems trivially easy to track down, no?

[1]In fact I was involved on a project where some thieves took a sawzall to the equipment storage conex over the weekend and stole every bit of GPS equipment they could get their hands on. They were pretty quickly tracked down when they tried to offload it though.

Could sell it outside of the country? It does make me wonder.
Lojack has often been installed on construction equipment since the 80s or 90s.
They even often all share the same ignition key.
Are you confident that is the case today? I know it used to be the case like 30 years ago, but I thought that was fixed since. Or did the advent of GPS trackers allow them to go back to The One Key? :-)
Oh 50/50. I know for a fact that the fleet of haul trucks on my current project all share the same key, and the bulldozers and excavators from the same manufacturer do as well.

I expect that equipment in rental fleets are keyed differently, though.

Interesting, thanks. I've long since become a software dev with tender, callous-free hands so I have no idea what the current state is.
For a lot of cat equipment this is true.

Go to a caterpillar dealer, and you can ask for a new key by model number. They don't need serial numbers.

How many people have the bandwidth to download it?
I wonder if a partial download would be of value?
Yeah, not surprising at all. When I interned there, there was a whole onboarding segment about network security that constantly made reference to a huge hack that had apparently happened and IIRC slowed their internal email system to a crawl with the sheer volume of phishing emails flying around. Everyone knew about it and was very embarrassed. And yet they would let us take our personal laptops in and out and connect to the network with no real oversight, because they didn't have the funds to give everyone their own machine.
Thats really sad to hear. I used to think NASA would be some pinnacle of security but it is government I suppose.
> "The attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission," the NASA OIG said.

wait, what? ITAR REGULATION for Mars Missions??

from the training sessions they made me take ages ago, most everything about space-flight hardware and control systems is ITAR-restricted.
Not anymore. Now it's almost everything is EAR, and ITAR is restricted to a smaller subset nowadays. EAR is still painful but much less than ITAR - if you just want to use an EAR product and you are in a NATO country, handling the restriction is fairly smooth.
To mangle an old saying: A sufficiently advanced space program is indistinguishable from an intercontinental ballistic missile program.
And to quote a different famous author: "A reaction drive's efficiency as a weapon is in direct proportion to its efficiency as a drive."
This is also why it is silly to even consider defense against a hostile alien threat that arrives in our solar system. If they have a spacecraft capable of crossing interstellar distances then wiping out all life on Earth without warning is a trivial problem.
Don't get me started on the aliens in Harry Turtledove's WorldWar alt history. Being completely genre-naïve, they cross interstellar space and then proceed to fight WWII-era earthlings with approx F22-level technology and not unsurprisingly get bogged down in a stupid attritional war. Why didn't they just drop rocks on us from orbit?
Its a bit old, but amazing for some history of the modern system around Space.

The New Ocean by William R. Burrows.

Talks about the intentional setup for NASA TO be a 'civilian agency' and not military.

I work in aerospace. You'd be surprised at the triviality of what data gets covered under ITAR and security classifications.
Trivial by itself. Combined with other information, the trivial can paint a very clear picture.
I've seen the value of g (yes, Earth's gravitational field, the average one) labeled as ITAR restricted. There's plenty of truly trivial stuff that gets labeled that way.
Sometimes, sure. Not always.
Oh crap

Someone is about to build an entirely COMPLIANT space mission :/

Brace yourselves

Are those regulations for everyone's eyes? If I were an enemy, it would be interesting to learn that "Do not give specifications of equipment XYZ to the $ENEMY.". Then I'd know the existance of equipment XYZ, and I can probably tell my agents on the ground to snoop around for it/try to source it from the supplier/hack their network to get its specs.
ITAR obviously isn't focused on export to "enemies". If I export sensitive missile technology from America to New Zealand, an ally of America, that will still run afoul of ITAR and for good reason. Consider the scenario where New Zealand has lackluster counter-intelligence and $ENEMY is able to freely infiltrate New Zealand companies. In exporting missile technology to New Zealand, I have put that missile technology in a position where it can be more easily stolen by $ENEMY, even though I never exported a thing to $ENEMY. Could those same $ENEMY agents infiltrate an American company instead? Maybe/probably, but the US Government would prefers that attack surface be kept smaller than larger, and under American jurisdiction when possible.
MSL uses a RTG which means it has nuclear material onboard which means it falls under ITAR.

That said, I don't see where this is especially valuable to hackers at this point. There are much easier ways to steal nuclear material these days than to target the one on Mars.

Believe it or not, there is more to ITAR than annoying programmers with crypto export rules. All manner of cutting edge shit has obvious military applications and is covered by ITAR. ITAR may cover materials, radios, navigation systems, and much more. Any of those might plausibly be in a space probe. Various technologies relating to satellites in particular are covered.
Farming equipment and practices.
I'm curious if it was wired or wireless? Also was it just someones hobby raspberry with default creds or was it there for this purpose?
But how did the Pi get there? Was it just some NASA employee's project? Or was there physical intrustion and the Pi was part of the plan?
A lot of companies allow RPi's or Nuc's to be installed into the network by teams to setup interactive scrum boards and (CI) monitoring displays. For this reason they are littered with (personal) access tokens with broad permissions on CI and other important systems. Most of the time these have barely any configuration management or security best practices as the teams want to manage these themselves (Devops is what the developers call it, but there is hardly any Ops in there). Often this initiative comes from the actual Ops not being able to provide the services the developers need, for whatever technical or political reason .
I'm interpreting 'The OIG report said the hackers used "a compromised external user system" to access the JPL missions network.' as the Pi being a legitimate user's project.
> The report blamed the JPL's failure to segment its internal network into smaller segments

Network boundary can never provide strong enough security protection. No matter how small each segment is. Just because a device is in your network doesn't mean you can trust it.

Implement authnz correctly everywhere and make sure the system can verify "if you are who you say you are" is more efficient.

This was the old scare scenario for "Plug Computing" way back when. It was new that you could fit a capable linux system (>1GHz core, >.5GB RAM, network interfaces, bluetooth etc) into something that hung off a socket and looked just like any other power supply or dumb device or whatever.

Of course that was forseeing malicious placement of something that would be scanning for vulnerabilities, rather than a remote exploit of an unsecured device on a secure network.

I once worked with a company who on occasion sent people to very secure sites. (yes I've told this story before)

You arrived at the facility in a rental car with your keys, clothing, ID (credit cards were ok and could be left in the car), and anything you needed to do the job (laptop, hardware, whatever).

You were told to expect to leave with your clothes, keys, ID, and rental car (obviously the previously mentioned credit cards).

You parked at the gate, were blindfolded, and escorted to the place you did your job, and then the same process out.

NOTHING left the facility beyond those things, even the front gate. (Car was searched and anything in the car might be confiscated).

I honestly think that's a level of security (well maybe without blindfold) that many places will eventually have to adopt.

They kept your clothes too? If so, I hope they provided some substitute clothing, so you could avoid getting arrested when returning the car.
Bad editing on my part ;)

TY

I'm at NASA and a while ago I wanted to experiment with using Pi's to monitor experimental setups, instead of using full-on PCs as we do now, which would save a ton of money. Trying to get permission to put one on the network, even for just a quick test, was so difficult I gave up. And that was a few years ago, now we have so much mandatory compliance monitoring software, I don't know if it would even be possible anymore. Some of those packages may not be available for the Pi, even if it were running a supported OS like Ubuntu instead of Raspios. I understand why incidents like this one have made NASA management extra sensitive to IT security matters, but it sure feels like a creativity straight-jacket at times. There is not much fun in being an SA at NASA these days, I'm sorry to say.
> I wanted to experiment with using Pi's to monitor experimental setups, instead of using full-on PCs as we do now, which would save a ton of money.

Because the costs you think of are but a fraction of the costs that are involved in keeping them accounted for, updated, monitored etc.

I have these discussions with creative individuals far too often :)

The Rasperry Pi really isn't the point here. It's really about general bad security hygiene. The section labeled "HACKERS DESCRIBED AS AN APT" covers the actual problems that allowed this to happen. The NASA combined with Rasperry Pi components of the headline are more clickbait than anything.